CEHA Privacy Policy

Effective Date: April 7, 2026

Introduction

Catholic Charities Employee Welfare Benefit Trust d/b/a Catholic Employer Health Alliance (“CEHA,” “we,” “us,” or “our”) provides the CEHA website, https://catholichealthtrust.org/, and any other websites, mobile applications, and digital properties and services hosted, provided, and maintained by CEHA (collectively, the “Services”) to you (“You” or “User,” collectively “Users”). This Privacy Policy applies to the collection of personal information by CEHA through the Services. When you access and use our Services, you acknowledge that you have read this Privacy Policy, understand it, and that you do not object to our processing activities.

This Privacy Policy does not apply to “protected health information” (“PHI”), as defined by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”). Use and disclosure of PHI is governed by the HIPAA Notice of Privacy Practices for the Catholic Charities USA and Participating Employers Master Welfare Benefit Plan, available here.

What Do We Mean By “Personal Information” and “Personal Data”?

“Personal information” or “personal data” is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal information that is aggregated (e.g., compiled to create statistics that cannot identify a particular individual) or de-identified (all identifiers obscured such that it cannot be linked to a particular individual) is not considered “personal information” for the purposes of this Privacy Policy.

The Personal Information We Collect

The personal information we collect may include:

  • Your name, phone number, email address, organization name, and user preferences that you voluntarily provide to CEHA. We also collect your username or password used to create an account to access our HR Administrator’s Portal or any other password-protected areas or services.
  • Usage information, such as how you and your device interact with our Services (e.g., the pages you visit, the search terms you enter).
  • Information collected by cookies and similar technologies, collected by us and by third parties, such as your IP address (which may reveal general location), device and browser type, operating system, referring/exit pages, pages viewed, emails opened, links clicked, time and date of visits, session duration, and preference settings. See below for more information on how we use cookies and similar technologies in our Services.
  • Information from third parties that provide services on our behalf or integrate with the Services (e.g., website and marketing analytics providers), consistent with your settings and their privacy policies.
  • Information included in your employment application, such as job history and education information.
  • Information revealing your religious beliefs that you may provide to us.
  • Other information you provide to us via free text fields or otherwise when you communicate with us.

We may collect user-generated content through the Services, and that content may relate to an identifiable individual. Where user-generated content includes personal information, that information is covered by this Privacy Policy.

Some information we collect is not personally identifiable or is anonymous aggregate information about Users, including the frequency that certain webpages are accessed and the amount of time spent on individual webpages or sections of the Services, the number of visits to the Services, types of browsers used, cookie preferences and search terms entered by Users. Anonymous aggregate information is used in a collective manner, and no single person can be identified by the compiled information.

Collection Of Personal Information From Job Applicants

When you apply for a job with us, we may collect identifiers, professional or employment-related information, and education information from you via forms or otherwise, including:

  • Information you provide in connection with your application;
  • Information about you that is publicly available;
  • Information that you authorize us to collect via third parties, including former employers or references;
  • Any other information provided in connection with your application.

We only use your personal information to assess your skills in relation to the applicable job requirements. We may also use your personal information to contact you during the hiring process.

In certain circumstances, you may submit your application for employment through a third-party service that displays our job posting. We do not control the privacy practices of these third-party services. Please review their privacy policies carefully prior to submitting your application materials

 

Cookies and Other Similar Technologies

As indicated above, CEHA may use cookies, web beacons, tags, pixels, and similar tracking mechanisms (“cookies”) to enhance your experience while accessing the Services. A “cookie” is a small piece of data that is sent to your web browser from CEHA’s web server (or a third-party server hosting content published to the Services) and is stored on your computer’s hard drive. Cookies are used to collect information about Users to make web-surfing easier or more relevant to you (e.g., by saving your passwords or personal preferences and to ensure that you do not see the same ads repeatedly). Web beacons (or other tracking technology) may also be included in or associated with emails or other communications that you receive from us (or our service providers) in order to help us track your response and interests and to deliver you relevant content and services. We may also use social media “pixel tags,” on our Services to measure your use of our Services, tailor our Services to your interests, improve our Services, and communicate with you.

We, or third parties, may use session cookies or persistent cookies. Session cookies only last for the specific duration of your visit and are deleted when you close your browser. Persistent cookies remain on your device’s hard drive until you delete them or they expire. Different cookies are used to perform different functions.

We use analytics cookies to measure how you interact with our Services and to improve your user experience. In particular, we use Google Analytics. To learn more about Google Analytics privacy practices and opt-out mechanisms, please visit the Google Analytics Security and Privacy Principles page at https://support.google.com/analytics/answer/6004245?hl=en.

Google also provides a complete privacy policy and instructions on opting out of Google Analytics available at https://tools.google.com/dlpage/gaoptout.

There are several ways to manage cookies. If you do not wish to allow the use of cookies, you may configure your web browser to refuse to accept cookies. However, note that doing so may cause some areas of the Services to lose functionality.

The Services are being monitored by one or more third-party monitoring software(s) and may capture information about your visit that will help us improve the quality of our service. We may use session replay technology offered by third parties to monitor how you interact with our Services. The personal information collected by this technology may include which links you click on, pages and content you view, information that you type into our online forms, recordings of mouse clicks and movements, and information about your device or browser.

Methods of Opting Out

Some browsers offer a “do not track” (“DNT”) option. Because no common industry or legal standard for DNT has been adopted by industry groups, technology companies, or regulators, we do not respond to DNT signals. We will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.

Additionally, we may send you information regarding our Services, such as information about changes to our policies and other notices and disclosures required by law. Generally, Users cannot opt out of these communications, but they will be primarily informational in nature, rather than promotional.

Advertising Opt-Out.

In the US, you may opt-out of companies participating in the Digital Advertising Alliance (“DAA”) program by opting out at https://optout.aboutads.info. For information and to download DAA’s AppChoices tool, see https://youradchoices.com/appchoices. Note that opting out does not mean you will no longer receive online advertising. It does mean that the company or companies from which you opted out will no longer deliver ads tailored to your preferences and usage patterns.

Email Opt-Out.

At any time, you can add or remove your name from a CEHA marketing or mailing list by contacting us at learnmore@catholichealthtrust.org. We will endeavor to comply with your request as soon as reasonably practicable.

You may sign up to receive email or other communications from us. If you would like to discontinue receiving this information, you may update your email preferences by using the “Unsubscribe” link found in emails we send to you or by contacting us via the contact information below. If you unsubscribe from marketing emails, you may still receive transactional or relationship emails from us.

Use of Information Collected

We use the personal information we collect from you for the following purposes:

  • To provide, secure, analyze, and improve our Services.
  • To respond to your inquiries or otherwise communicate with you.
  • To process employment applications.
  • To improve User experiences by making our Services easier to use and navigate.
  • To provide a product or service you request from us.
  • For other legitimate business purposes.

Collection and Use of Information from Children

CEHA does not knowingly request, solicit, or collect personal information from anyone under the age of 13 without prior verifiable parental consent. We do not sell the personal data of a known minor (age 13 to 17) or process a minor’s personal data for targeted advertising without appropriate consent as required by applicable law.

If CEHA receives actual knowledge that it has collected personal information from someone under the age of 13 without the requisite and verifiable parental consent, CEHA will delete that information. If you become aware that a child under 13 has provided us with personal information without your consent, please contact us at learnmore@catholichealthtrust.org.

Disclosure of Personal Information

From time to time, CEHA may be required to disclose personal information in response to a valid court order, subpoena, government investigation or as otherwise required by law, or if CEHA reasonably believes that a User has committed unlawful acts or acts that may endanger the health or safety of another User or the general public. CEHA also reserves the right to report to law enforcement agencies any activities that CEHA, in good faith, believes to be unlawful.

We may disclose information to prevent or detect fraud or to address technical issues and if we believe it is necessary to investigate, prevent, or take action regarding situations that involve abuse of the Services or their infrastructure.

CEHA may also disclose personal information to third-party service providers, agents or independent contractors who help us maintain our Services and provide other administrative support to us.

We may process and disclose information in an aggregated, anonymous, or de-identified manner, where the information is disclosed as part of a statistical report and does not contain personal information.

Finally, we may share your personal information in the course of any direct or indirect reorganization process including, but not limited to, mergers, acquisitions and sales of all or substantially all of our assets.

Your State Privacy Rights

Depending on applicable state law, you may have certain rights, as outlined below. We will fulfill your request to exercise any of these rights within the applicable time period prescribed by such laws. You can exercise these rights by contacting us as outlined below.

Depending on where you live, you may have the following rights:

  • The right to opt out of “sales” of personal information and use of your personal information for “targeted advertising,” as those terms are defined under applicable law.
  • The right to opt out of “profiling” under certain circumstances, as defined under applicable law.
  • The right to access and the right to confirm processing of your personal information.
  • The right to obtain a copy of, or representative summary of, your personal information in a portable and, to the extent technically feasible, readily usable format.
  • The right to obtain a list of third parties to which we have disclosed your personal information or the right to request a list of the specific third parties to which we have disclosed your personal information.
  • The right to question the result of profiling, where your personal information is profiled in furtherance of decisions that produce legal or similarly significant effects concerning you. This includes the right to be informed of the reason the profiling resulted in the decision, be informed of what actions you might have taken and can take to secure a different decision in the future. You may also have the right to review the personal information used in the profiling and have the data corrected and the profiling decision reevaluated based upon any corrected personal information.
  • The right to correct personal information under certain circumstances.
  • The right to delete personal information under certain circumstances.

Submit a Consumer Privacy Request. To exercise any of the above rights, please submit a verifiable consumer privacy request to CEHA by emailing learnmore@catholichealthtrust.org or by calling 571-527-3282.

Verification. We cannot respond to your request to know, access, question the result of profiling, limit the use of, correct, or delete your personal information or provide you with a copy of your personal information unless we can verify your identity and your authority to make the request and confirm that the personal information relates to you. A verifiable consumer privacy request must:

  • provide sufficient information that allows us to reasonably verify you are the person, or an authorized representative of the person, about whom we have collected personal information; and
  • describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

Authorized Agent. You may, under certain circumstances, authorize another individual or a business, called an Authorized Agent, to make a verifiable consumer privacy request on your behalf. If you wish to have an Authorized Agent make a verifiable consumer privacy request on your behalf, they will need to provide us with sufficient written proof that you have designated them as your Authorized Agent, and we will still require you to provide sufficient information to allow us to reasonably verify that you are the person about whom we collected personal information.

CEHA’s Response. We endeavor to respond to a verifiable consumer privacy request with the time period prescribed by law. If we require more time, we will notify you in writing of the reason and extension period. We will deliver our written response by mail or electronically, at your option. If we cannot comply with part or all of your request, we will explain the reasons in our response.

We do not charge a fee to process or respond to your verifiable consumer privacy request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Appeals. You also have the right to appeal a denial of your request by contacting us as described in our notice of denial.

California “Shine the Light” Law.

California residents have the right to request certain information regarding our disclosure of personal information to third parties for their own direct marketing purposes, if we do so. To make such a request, please contact us at learnmore@catholichealthtrust.org or by calling 571-527-3282. Please indicate in your request that you are a California resident making a “Shine the Light” inquiry. You also may opt out of any such sharing of your personal information to third parties for their own direct marketing purposes by sending an email to learnmore@catholichealthtrust.org or by calling 571-527-3282.

Nevada Disclosure.

Residents of Nevada have the right to opt out of the sale of certain personal information to third parties. We currently do not sell your personal information as defined by Nevada law.

Third-Party Links

Our Services may contain links to other websites and services. We are not responsible for the privacy practices or content of such other websites. If you have any questions about how these other websites use your information, you should review their policies and contact them directly.

Notice Regarding Public Posting Areas

Please note that any information you include in a message you post to any chat room, forum or other public posting area is available to anyone with internet access. If you do not want people to know your email address, for example, do not include it in any message you post publicly. PLEASE BE EXTREMELY CAREFUL WHEN DISCLOSING ANY INFORMATION IN CHAT ROOMS, FORUMS AND OTHER PUBLIC POSTING AREAS. WE ARE NOT RESPONSIBLE FOR THE USE BY OTHERS OF INFORMATION THAT YOU DISCLOSE IN CHAT ROOMS, FORUMS AND OTHER PUBLIC POSTING AREAS.

Disclaimer Regarding Video Content

The Services may contain video content, audiovisual content, or content of a like nature (collectively, “Video Content”). Video Content is provided for the purpose of enhancing the user experience on the Services and is, therefore, provided in connection with our business activities related to providing content on the Services. CEHA is not in the business of renting, selling, or delivering Video Content in a commercial manner. By using the Services, you agree that CEHA is not a “video tape service provider” as defined in the Video Privacy Protection Act (“VPPA”), 18 U.S.C.A. § 2710 or similar state laws.

Further, the Services may utilize online tracking technologies and code-based tools, including social media pixels, software development kits, and cookies that track information about your activity on the Services (collectively, “Targeting Tools”). Targeting Tools may result in information about your activity on the Services being transmitted from your browser to CEHA and to third parties, which, in turn, may result in the display of targeted advertisements on third-party websites. Whether Targeting Tools on the Services result in your browser’s transmission of information to third parties depends on a number of factors that may be outside of CEHA’s knowledge or control, including what third-party websites you use, what information you have provided to such third parties, and whether (and the extent to which) you have limited the use of cookies by the operators of third-party websites. As such, you hereby acknowledge and agree that, if Targeting Tools on the Services result in your browser’s transmission of information to third-party websites: (i) such transmissions do not constitute a “knowing disclosure” of “personally identifiable information” by CEHA under the VPPA; and (ii) you will not initiate any litigation or otherwise assert any claim against CEHA based, in whole or in part, on such transmissions, whether under the VPPA, the California Invasion of Privacy Act (Cal. Penal Code § 630 et seq.), or any other statute, regulation, or cause of action.

Security

We implement reasonable security measures to ensure the security of your personal information. Please understand, however, that no data transmissions over the internet can be guaranteed to be 100% secure. Consequently, we cannot ensure or warrant the security of any information you transmit to us, and you should understand that any information that you transfer to us is done at your own risk. If we learn of a security systems breach, we may attempt to notify you electronically so that you can take appropriate protective steps.

By using our Services or providing personal information to us, you agree that we can communicate with you electronically regarding security, privacy and administrative issues relating to your use of the Services. We may post a notice via our website if a security breach occurs. We may also send an email to you at the email address you have provided to us in these circumstances. Depending on where you live, you may have a legal right to receive notice of a security breach in writing.

Data Retention

We may retain your information for as long as needed to provide you with the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. In certain circumstances, we may be required by law to retain your personal information, or may need to retain your personal information in order to continue providing access to the Services. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information; the potential risk of harm from unauthorized use or disclosure of the personal information; the purpose for which we use the personal information; whether we can achieve the purposes through other means; and the applicable legal requirements. If we de-identify personal information, we will maintain and use the information in de-identified form and not attempt to re-identify the information except as required or permitted by law.

Even if you delete an account you have with us, keep in mind that the deletion by our third-party providers may not be immediate, and that the deleted information may persist in backup copies for a reasonable period of time.

International Data Transfers

CEHA is based in the United States. If you choose to provide us with personal information, please understand that your personal information may be transferred to the U.S., and we may transfer your personal information to our affiliates and subsidiaries or to other third parties, across borders, and from your country or jurisdiction to other countries or jurisdictions around the world. If you are visiting from the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that you are transferring your personal information to the U.S. and other jurisdictions that may not have the same data protection laws as the EU. We put in place appropriate operational, procedural and technical measures in order to ensure the protection of your personal information. You acknowledge you understand that by providing your personal information: (i) your personal information will be used for the uses identified above in accordance with this Privacy Policy; and (ii) your personal information may be transferred to the U.S. and other jurisdictions as indicated above, in accordance with applicable law.

HIPAA NPP Notice

Your rights and our responsibilities are further set forth in the HIPAA NPP Notice, which can be accessed through this link.

Changes to This Privacy Policy

We reserve the right to change this Privacy Policy from time to time. When we do, we will also revise the “Effective Date” at the top of this Privacy Policy. If we make material changes to the Privacy Policy, we will notify you by placing a prominent notice on our Services and/or via email at the email address we have on file for you. We encourage you to periodically review this Privacy Policy to keep up to date on how we are handling your personal information. In addition, any and all references in this Privacy Policy to the HIPAA NPP Notice are to the NPP Notice as then in effect.

Contact Us

If you have any questions, comments or concerns about our privacy practices or this Privacy Policy, please contact us at:

Catholic Employer Health Alliance
P.O. Box 1177
Leesburg, VA 20175
learnmore@catholichealthtrust.org
571-527-3282